Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

loekessers writes "Breaking in to an encrypted router and
using the WiFi connection is not an criminal offense, a Dutch court ruled. (Original article in Dutch; English translation.)
WiFi hackers can not be prosecuted for breaching router security. The judge reasoned that the student didn't gain access to the computer connected to the router, but only used the router's internet connection. Under Dutch law, breaking into a computer is forbidden. A computer in The Netherlands is defined as a machine that is used for three things: the storage, processing and transmission of data. A router can therefore not be described as a computer because it is only used to transfer or process data and not for storing bits and bytes. Hacking a device that is no computer by law is not illegal, and can not be prosecuted, the court concluded. "

How many "bits and bytes" does a device have to store to be declared a computer? I mean, mine stores a password, those are a few bits, where is the limit? I don't know enough about the case to comment on the details, but it seems an odd thing to base a ruling on to me.

When you are breaking and entering someones wlan, you are not accessing these parts of the router. You are only gaining access to the transmission part of the device (AccessPoint), it's like finding a way to sneakily plug a cable into someone else his network (without tresspassing on his property). The safety of the other parts is not compromised (your not using the same passphrase for the default user of the device and the wlan, are you) .

The law used to deter wireless hacking has the word computer in it. Using specific devices is always a big risk in laws with fast evolving technologies. A judge decided to formulate a definition of the word computer. I personally think it was a good call, though I don't want any unautorized access to my wlan myself.

If you want to argue this should be illegal, a better comparison would be to compare it with stealing electricity.

It *is* stealing electricity - in small amounts. It also is trespassing into private property, eavesdropping on private communication, "breach of confidence, perpetrated for profit", i.e. fraud.

Forging concert tickets is illegal, sneaking into cinemas is illegal, riding the subway without a ticket is illegal. The same should apply to using a password-protected router owned by someone else without permission.

it's very comparable to those kinds of things, I'm guessing that since the hacking law was written with penalties assuming that it would be people breaking into bank servers or stealing credit card numbers the judge wasn't keen to apply such large penalties for something which has more in common with sneaking into a cinema or riding the subway without a ticket.

no you have to break the security part by altering the code running on the processor of the AP.
any router or AP has all the functional requirements to be a computer - turing et all defined this back in the 40's

The court's ruling itself can be found here [googleusercontent.com]. It's a little wonky linguistically and the frames are messy, but scroll down and you'll find some really interesting details. For your question it seems the court considered two factors - was it a computerised device (which the translation makes difficult to establish...seemingly could be read either way) and second, was there an intrusion which exposed personal data. Since the latter didn't occur it doesn't matter if the former is true.

As for other details, the case involves a guy posting a threat - on 4chan - to commit a school shooting and apparantly hacked the Wifi as a little camo'.

I've read the original article mentioned in Dutch, and the gist of it is really that it isn't illegal to simply use someone else's network (even when it is encrypted), but it would be illegal to start browsing electronic files in that network.

If any random stranger can connect to your WiFi, even if you have secured it with a reasonably strong WPA2 password, then suddenly it becomes much more difficult for large corporations to finger you for whatever kind of digital content violation happens to be popular at the time, just because your router had leased that IP from the ISP at the time.

As such, large corporations with incentive to be litigious and to forcibly equate IP with Identity for the purpo

Even if he did not cause financial loss it's still an act which should be illegal. After all, breaking into a private house is a crime even if you don't steal anything, don't read the diary of the owner, and don't damage anything in the process of breaking in.And if the connection is encrypted, you can't even say the door was wide open. "The door lock wasn't strong enough" isn't a valid excuse.

If the router was using an encrypted connection, then they should at least be a fine, but only if real intrusion was demonstrated. If it wasn't encrypted then that's the owner's fault.

The door analogy fails in the sense that your building has a specific graphical location, with which by default I am outside. A wireless signal can encroach on space that I am in and therefore includes me in that space whether I like it or not. You could argue that when I am decrypting the signal I am simply making sense of th

You keep repeating that, it makes you look dumb. There is no confidence involved because the two parties have had no communication. There's also no profit involved. You also look retarded for quoting a dictionary as opposed to the relevant Dutch law. I'd even be willing to cut you some slack if you had a layman's argument as to why this was so, but as is, you should put the crack pipe down.

Before this court ruling, I though it was illegal to access even unprotected WiFi routers, now it turns out it's legel to access protected ones.So what does this mean for all the people (both owners of routers and users) who want to enable free WiFi access; is it legal again?

It is still illegal to use the network of the neighbours. The intent of the prosecutor was to slap this 14 year old boy with jailtime. That hasn't worked. But theft of services is still illegal. The court has esthablished that theft of services when it comes to illegal use of WiFi is a civil matter, not a criminal one.

My concern is that the criteria used are overly simplistic. Clearly a breadmaker and a Blu-ray player are not computers. The satnav may be slightly closer depending on what yours does, mine certainly does all 3 of the judges criteria, storing gigs of data, processing new data, and transmitting data regularly. I wouldn't classify it as a computer either. That said I know people who use actual computers as routers, and I've seen routers with so many features that they surely seemed to be computers. Anoth

This is why having your wireless outer also be your file server is a bad idea. You are essentially getting one door to unlock to get access to all the goodies. If your drive is connected to a server with a separate level of security then you have just made it that much harder to access that data for the unauthorised.

As to the power usage thing, this is one reason why I would like to see "wake on demand" or other similar technologies take off across the board. These technologies allow you to put your compute

How many "bits and bytes" does a device have to store to be declared a computer? I mean, mine stores a password, those are a few bits, where is the limit? I don't know enough about the case to comment on the details, but it seems an odd thing to base a ruling on to me.

Don't forget that lots of the routers now have usb ports included. So you can turn your "router" into a "computer" just by plugging in a usb memory stick.

How much data are you willing to expose due to simple wireless key decryption? Secure data should be on another server with separate authentication, IMHO. ''

At one place I work the wireless connection only gives you access to the internet. If you want access to the company network, then you will have to do it using the VPN. It may sound a bit paranoid, but at least VPN security is more robust than wireless security.

Speaking as though this passed in the US, I'm mildly concerned. There are plenty of extra costs that may be incurred, such as metered bandwidth or access of illegal materials. If this were to fly, it would also necessitate that other people using your network without authorization would not come back to bite the network holder.

The issue is "should this be subject of Civil or Criminal proceedings?"

Civil litigation could include tortuous interference on the grounds of directly, or indirectly causing the network owner to incur costs from bandwidth usage or inappropriate network usage.

With small claims court having a $5,000 limit and the much lower standards of proof required for civil litigation vs criminal litigation, it seems likely that you would be more likely to get compensated for a few thousand dollars out of civil litigatio

This is exactly what this Dutch court case is about. The judges did not rule that breaking into someone's WiFi is now allowed; they ruled that it is not a criminal offence defined as "computervredebreuk" (lit. "violating a computer's peace"). It is still subject to civil proceedings. Although... interestingly, in 2008 a Dutch judge ruled that using someone else's bandwidth isn't theft because bandwidth and data "aren't goods". Maybe this jurisprudence adds up to WiFi hacking being legal, after all.

As a dutch person, I have of course followed this and the judge simply stated that with the current law, there is no ground for criminal prosecution in breaking into a PURE wifi-router. A lot of modern wifi-routers for consumers are no longer just plain routers but offer computer services like bittorrent and network attached storage.

Anyway, the judge did say you could start a civil case against the hacker.

But also keep in mind that the dutch legal system is extremely wonky, ruled by judges who are completel

But also keep in mind that the dutch legal system is extremely wonky, ruled by judges who are completely out of touch with reality.

[citations needed]

Because right now, this judge has declared that taking fuel from his car is not theft.

No, the judge has said no such thing. In fact, I wholeheartedly believe this same judge would declare the unauthorized taking of fuel from a car a criminal offense. The judge said that there is no criminal law against simply using someone else's network. And he is right: the

The judge ruled, if I'm reading it correctly, that the router did not store "personal" information, and/or the hacker did not attempt to access it.. its a bit vague

I think their laws, or previous court cases, ruled or created 'definitions' of devices that lead the judge to rule it's not a computer as it's intent is not to store a person's private information... All "computerized devices" have bits and bytes stored...

As for previous cases, the article referenced a 2008 article where 'piggybacking' on interne

Apparently Dutch courts are smart enough to recognize the spirit of the law. I wish they would teach that skill to the American courts.

In other words, a buffer is technically storage, but is not what most people mean when they say a computer has storage. When most people say storage, they mean persistent storage of user data, not buffers and not configuration. You don't claim a light switch is a computer because it saves one bit of state information do you?

Did you buy your router to store and process data? No, you bought it to move data from one place to another. That is probably the abstraction level of "process" and "store" used to define this law. Maybe the law is wrong. But remember that judges in criminal cases are not there to make "fair" or "just" rulings; they are there to apply the law as it stands. It is up to legislators and politicians to codify what is fair and just into those laws.

However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.

In layman's terms, the question can generally be worded as, "Can I install apps on it, write a term paper

Just to clarify, cracking access to the disk should be criminal trespass in that you are accessing a resource (disk) that is effectively a part of my computer even though it happens to be physically attached using the network.

Seriously? Five minutes between posts for logged in users? What's wrong with this site? That's okay. I'll just click every second until it lets me post.

but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.

This is true of a "general purpose computer". Have you a citation that "computer" necessarily means "general purpose computer"?

would beg to differ.
However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.

Keep begging, I'm not letting you "differ"; Not with that bogus argument anyhow.

I SSH into my WRT54GL router w/ Tomato Linux firmware. [polarcloud.com] My router runs Linux from the factory and has a "firmware upgrade" option that I used to install the aforementioned Tomato Linux.

I write my own small C programs, cross compile them for the router scp (copy) them into and run them in the router. It is every bit as much a computer as a web server is -- Hint: you use the HTTP web server interface to configure most every ro

And you've hacked the router to do all of this. That's not the way a router was intended to be used. By that same definition, my laptop is a dinner plate, and a few of my old LEDs are firecrackers.

Define "hacked". I used the router's own firmware upgrade feature. My point is that "router" doesn't have to mean embedded device -- Hell, take any computer with more than 2 nics on it and you've got a router. Some of the "factory" firmware upgrades add additional features -- Clearly the functionality is PROGRAMMABLE -- Guess what, that makes it GENERAL PURPOSE.

Your problem is that you are defining a "computer" by the software that it comes with -- from the factory. I'll have you know that none of the

Your problem is that you are defining a "computer" by the software that it comes with -- from the factory.

No, I'm defining it based on the hardware's intended purpose. A router was designed to move bits around from one network to another. It was built with the absolute minimum amount of hardware needed to do a single, specific task.

By contrast, a traditional computer that happens to have two NICs was designed for general computing use, and is being used for a more limited task. There's a fairly fundamen

Depending on how you define I/O, they either do or do not pass that. I would argue that the original intent of the term was to refer to devices that provide input and output directly to the user, e.g. a keyboard and screen, in which case they don't.

Either way, the original intent of the term was to explain the difference between parts that were designed to be used for a single purpose via parts that were designed to be programmed for arbitrary computation. That distinction, thanks to economies of scale on

However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.

Ever hear of DD-WRT? Optware? And no, before you say it, a firmware update is not "hacking the device" by any stretch of the imagination. By your logic, my Asus router would be a computer, but my linksys router wouldn't be.

Nonsense. Here's what Miriam Webster has to say on the issue:

computernoun, often attributive \km-pyü-tr\Definition of COMPUTER: one that computes; specifically : a programmable usually electronic device that can store, retrieve, and process data

And no, before you say it, a firmware update is not "hacking the device" by any stretch of the imagination.

Yes, it is. The manufacturer didn't design those routers with the intent that people would run their own applications on them. Sure, they might have been kind to homebrew hackers and added a little more RAM and flash than their firmware required in certain models, but clearly the assumption for these devices is that the firmware upgrade mechanism will be used for running prepackaged, manufacturer-pr

By computer, I'm using the term to mean "general purpose computer", which is how the term has been used by the vast majority of the public for at least a couple of decades. By loose enough definitions, my wristwatch is a computer. That doesn't mean it is what people intended to protect when they wrote laws protecting against computer break-ins.

An Internet kiosk either can meet those definitions but has been specifically limited by the owner (a user) by installing software so that other users cannot do tho

or the judge used a previous court ruling that determined routers do not store enough personal security information (SSN/Credit card numbers/etc.), are not used as a "Computer" (in the traditional sense), and are not designed to do so.. thus they are a "computerized device" and not a "Computer".. which pulls routers out of the "Computerized Intrusion" law -- perhaps this is covered in another law and the lawyer wanted to pin the hacker on the hardest offense he thought he could pull off

Although I'd not say that someone using such a hacked WiFi should not be punished, I find their reasoning more than questionable. I run a dual core 400 MHz P-II as a router (WLAN AP with 63 chars WEP2 key), so hacking mine would be criminal. I don't see why hacking a - properly secured - usual WLAN router box should be treated differently. I'd decide that based on the intention - if it was just for regular internet usage - OK then just give the offender a slap on his ass, but if it was to commit serious cr

Not that I have anything against hardware reuse... but seriously, if you shelled out some cash to upgrade to an Atom-based box, the reduction in electrical usage would probably be enough to recoup the cost within a year.

I know, I know. A cigar-case sized box with 3* Gbit LAN and 1* 54 Mbit (or better) WLAN capable of running IPCop or similar would cost me a little over 200 Euros. Have some more urgent problems right now, but it's on my list.

But, then I have to fear the Dutch hackers, whom I'd rather not mess with. Fortunately I could sue them here in Germany, thanks to being in the EU.:)

A switch isn't necessarily a computer but a router definitely is. Back in the day all routers were physical PC. Now they are embedded systems. And they store all sorts of information, most importantly routing information!

The only difference between a router and a switch is the network layer they operate upon - switches operate on layer 2 traffic, routers operate on layer 3 traffic (or potentially layer 4 traffic if it is doing NAT and stateful firewalling). In fact, most modern managed switches have some level of layer 3 support (e.g. IGMP snooping).

I'm not even clear that the article is talking about a router - it could very easily be talking about a wireless bridge, in which case it too is only operating on layer 2 traff

A router is a computer and it stores information. Many routers have access logs. For me breaking into an encrypted WLAN is like mechanically removing the lock from an ethernet port on private property and plugging youerself in. In the normal case you still can log what is currently going on (Wireless can not be switched, so you see all packets), and in the worst case see logs or manipulate the router without any trace.

Should i move to the netherlands, i will use a VPN service to access the internet and a ca

The case revolves around legal definitions. In laymans terms a computer sits on your desk and you type/mouse stuff into it or watch Utube. To those of us with technicial backgrounds everything containing a cpu/gpu/mpu is a computer, but trying to explain that to a non techie will be rather difficult. Just as explaining the difference between hacker and cracker, this just isn't an easy road to travel. I think given the silly ideas politicians have that we want to avoid the whole problem and let sysadmins

Vincent: So what you want to know?
Jules: Well, hacking routers is legal there, right?
Vincent: Yeah, it's legal, but it ain't a hundred percent legal. I mean, you
can't walk into a restaurant, roll out your netbook, and start wardrivin' away. They want
you to hack routers in your home or certain designated places.
Jules: Those are router bars?
Vincent: Breaks down like this, okay: it's legal to hack a router, it's legal to own one, and if you're the proprietor of a router bar, it's legal to sell r

It might be good to note, that these actions can still be prosecuted under civil law. That is, the intruder can still be held accountable for costs incurred by his use of the network. Having said that, I personally still think this should be a criminal offense, as it is a clear breach of privacy. What I do on my local network should be my business alone. Right now, the defense is required to prove eavesdropping on the network itself, which is very hard to do.

I use a old Pentium 3 running Debian as a router. Ofcourse i didn't put a wireless card in it, since i don't need wireless connectivity, i doubt most people do, it's probably out of laziness that people use it instead of just pluggin in an ethernet cable... (unless your device doesn't have an ethernet port).

By the way, you can turn off the wireless connectivity on most routers and you should, if you're not using it...

That's not to say it should be legal, but it should fall under a different law, something like "theft of services". Like whatever law applies to hooking up to somebody else's electricity or water supply.

I don't think breaking into somebody else's computer, and using their internet connection without permission are equivalent. They're done for different reasons, though they may be connected, and the seriousness isn't the same.

I disagree strongly with their ruling. If I place a password on my router and use encryption, it is OBVIOUS it is a private network. Breaking into that network for ANY reason is, essentially, trespassing and SHOULD be a criminal offense. It doesn't matter the reason.

Under their logic, I could place locks on my fences on my property, but someone would be allowed to go onto my property, pick the locks, and break into my backyard... but that is OK as long as they wear a blindfold?

Note that the neighbour has given up the password of the (ADSL) router voluntarily because the internet connection of the suspect (probably cable) was sometimes unstable. So the message was just posted over a connection differently than the one he owned, probably to disguise his location. Nonetheless, it seems he just used the internet connection, albeit in a way that is not according to Dutch law. The neighbour has just been inconvenienced and will probably now think twice when somebody asks her to share h

The results of "breaking into" a router (whether it is wide open or not) is impersonation/identity theft and theft. If someone connects and then behaves themselves, then the results of the offense are nil. The issues become apparent when the intruder downloads GB of warez and you incur overage charges from your ISP and a visit from the police.

As for breaking in itself, instead of a car analogy, let's use a bike analogy. I like near a large cottage community that has free painted community bicycles. It'

It seems the law, as the judge rules, is that you have to "Browse" through the personal information. If you hack the router and gain access, but stop there and only use it for connecting, you are not breaking the law they have. It appears "Intrusion" requires you view the information on the device...

I suppose a poor analogy would be picking the lock on a house, but not opening the door... when no law against 'lock picking' exists... which in this case also did not share the key with anyone else, nor leave t

I suppose a poor analogy would be picking the lock on a house, but not opening the door... when no law against 'lock picking' exists... which in this case also did not share the key with anyone else, nor leave the house vulnerable to another person with ill intent

A better analogy would be picking the lock, walking in, kicking your feet up on the coffee table, turning on the TV, and using their phone to call up the local pizza and/or beer delivery place. Might not be illegal, but it certainly should be.

A better analogy would be picking the lock, walking in, kicking your feet up on the coffee table, turning on the TV, and using their phone to call up the local pizza and/or beer delivery place. Might not be illegal, but it certainly should be.

The GP is wrong.In many states, merely walking around with a lockpick set is illegal.AFAIK, in all states, putting a lockpick into a keyhole is considered "entering" even if you fail to successfully pick the lock or do, but don't go inside.

Their courts already ruled using another persons internet is not illegal. This law is broken specifically when you try to go the next step (try to access personal information)

If the hacker tried to take log files, or go into another computer, or browse through files... He would likely have been covered. Since he sniffed the key and used it.. without doing gathering any personal information (except maybe "god" "password" "admin"

20 hours of community service after publically threatening to shoot everyone at a high school? What a joke.

20 hours is a bit short, but we're not talking about the US where typical children have easy access to guns and are anti-social enough to go through with it.What WOULD be a good punishment for a kid who made an idle threat on the internet?

b) Bypassing security mechanisms is the key idea behind the DMCA line of argumentation. Why is copying a DVD an illegal act and breaking into a router is not?

Believe it or not, the US laws aren't international law. Holland does have the DMCA as a part of it's laws.

c) I spent considerable amount of time composing and testing a secure WPA key, which I keep to myself like my social security number or my ID card. Therefore, my WEP key is my private sensitive personal data that should be protected by law.

Suppose you sent your wife to Best Buy to get you a computer, and she came back with a router. Are you satisfied? It does store, process and transmit information. But somehow, something seems to be missing...

No, it states that he retrieved the username/password by asking them. The found a note next to his XBox from the neighbour next door. Both she and her husband had voluntarily given this information. Extra points for trying to read Dutch articles though:)